Launchpad has imported 3 comments from the remote bug at http://sourceware.org/bugzilla/show_bug.cgi?id=1363.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2005-09-22T14:18:28+00:00 Kees-verruijt-redwood wrote:

nscd_getpw_r() will free() on a static buffer passed in to it when called by getpwnam() and friends.

This can be seen by simple code inspection in nscd/nscd_getpw_r.c. (Discussion is based on CVS version 1.30, which is the current MAIN.)

The following excerpt is a few lines of nscd/nscd_getpw_r.c:

    86:nscd_getpw_r (...)
    96: retry:;
    142: resultbuf->pw_uid = pw_resp->pw_uid;
    203: if (__nscd_drop_map_ref (mapped, &gc_cycle) != 0 && retval != -1)
    230: free (resultbuf);
    232: goto retry;

The above shows that if there has been a GC cycle that resultbuf is freed and then reused in the next retry. That's incorrect. It is also incorrect in that resultbuf is passed in, and it can be a buffer that's not from the heap.

This turns up in a simple getpwnam() call made during a GC cycle. This tries to free the resbuf in getpwnam and thus dumps core.

Suggested fix: remove free(resultbuf) (line 230).

Reply at: https://bugs.launchpad.net/glibc/+bug/327705/comments/0

------------------------------------------------------------------------
On 2005-09-22T14:30:22+00:00 Kees-verruijt-redwood wrote:

Created attachment 665
glibc_1363_testcase1.c

C source that might coredump; it just calls getpwnam() on different non-existing users. It coredumps the first call after the nscd daemon does GC.

This is easiest to see by running the attached program and "nscd -d -d -d -d" in two adjacent sessions. As soon as I see "remove GETPWBYNAME entry "....."" by nscd the test program aborts.
(Originally found on SuSE 9.3 x86_64 w/ glibc-2.3.4-23.4)

Reply at: https://bugs.launchpad.net/glibc/+bug/327705/comments/1

------------------------------------------------------------------------
On 2005-09-22T14:37:02+00:00 Drepper-fsp wrote:

Fixed on CVS trunk.

Reply at: https://bugs.launchpad.net/glibc/+bug/327705/comments/2

** Changed in: glibc
   Importance: Unknown => Medium

--
https://bugs.launchpad.net/bugs/327705
Title: nscd_getpw_r in libc6 crashes due to invalid free()
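
The retry pattern described in the first comment, modelled as an added example that is not glibc's code and not part of the original report: the callee frees a caller-owned result buffer after a GC cycle and then retries into it. All names (pw_result, tracked_free, lookup_faulty, lookup_fixed, run) are hypothetical, and frees of the caller's buffer are counted instead of performed so the faulty path stays well defined.

```c
#include <stdio.h>
#include <stdlib.h>
struct pw_result { unsigned uid; };      /* stand-in for struct passwd */
struct counts { int invalid_frees, stale_writes; };
static void *live, *dead;                /* tracked heap block: usable / already freed */
static struct counts seen;

/* Records a free instead of performing it, so the faulty path stays defined. */
static void tracked_free(void *p) {
    if (p != live) { seen.invalid_frees++; return; }  /* not a live heap block */
    dead = live; live = NULL;
}
static void fill(struct pw_result *r) {
    if ((void *)r == dead) seen.stale_writes++;       /* write into freed memory */
    r->uid = 1000;                                    /* cf. line 142 */
}

/* Faulty pattern: the callee frees a buffer the caller owns, then retries. */
static void lookup_faulty(struct pw_result *resultbuf, int gc_cycles) {
retry:
    fill(resultbuf);
    if (gc_cycles-- > 0) {               /* a GC cycle invalidated the lookup */
        tracked_free(resultbuf);         /* cf. line 230 */
        goto retry;                      /* cf. line 232 */
    }
}

/* The reporter's suggested fix: retry without freeing the caller's buffer. */
static void lookup_fixed(struct pw_result *resultbuf, int gc_cycles) {
retry:
    fill(resultbuf);
    if (gc_cycles-- > 0) goto retry;
}

/* Calls lookup with a static buffer (the getpwnam case) or a heap buffer. */
static struct counts run(void (*lookup)(struct pw_result *, int), int heap, int gc_cycles) {
    static struct pw_result resbuf;
    void *block = heap ? malloc(sizeof resbuf) : NULL;
    struct pw_result *buf = block ? block : &resbuf;
    live = block; dead = NULL; seen = (struct counts){0, 0};
    lookup(buf, gc_cycles);
    free(block);                         /* the caller releases its own buffer */
    return seen;
}

int main(void) {
    struct counts s = run(lookup_faulty, 0, 1), h = run(lookup_faulty, 1, 1);
    printf("static: %d invalid free(s); heap: %d stale write(s)\n", s.invalid_frees, h.stale_writes);
    return 0;
}
```

With a static buffer the faulty version records an invalid free, and with a heap buffer it records a write into freed memory on the retry; the version without the free records neither.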